Kalin KOZHUHAROV wrote:
> Nico Kadel-Garcia wrote:
>> Matt England wrote:
>>> Are authentication passwords given to update a repo that is checked
>>> out via "http://" vs "https://" secure, in the sense that their
>>> transmission is encrypted?
>
>> Via HTTPS, yes. via HTTP, no. This is why HTTP should frankly never
>> be used.
>
> Well, let me give you a few examples where http is useful:
> 1. A VPN endpoint and SVN/HTTP server on the same machine, no acces
> except through the (encrypted) VPN
> 2. A physically secure and isolated (from the Net) LAN
> 3. Anonymous (RO) public repositories
>
> Just my 3 yen :-)
>
> Kalin.
Not a single one of these require HTTP instead of HTTPS. There's just no
excuse for it, except possibly that you don't want people whining that "I
have to click to accept the unsigned key because you're too cheap to buy us
an authenticated SSL key, boo-hoo".
It's like sending people passwords via email. It's so dangerous in so many
cases that there's just no excuse for doing it, even when it's relatively
safe.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Apr 26 20:27:20 2006